| 2008-12-21 01:36:29 |
Anders Kaseorg |
bug |
|
|
added bug |
| 2008-12-21 02:08:19 |
Anders Kaseorg |
bug |
|
|
added subscriber Bryce Harrington |
| 2008-12-21 08:10:06 |
Launchpad Janitor |
xorg: status |
New |
Fix Released |
|
| 2008-12-22 07:14:38 |
Anders Kaseorg |
xorg: status |
Fix Released |
New |
|
| 2008-12-22 07:14:38 |
Anders Kaseorg |
xorg: statusexplanation |
|
Thanks for the quick upload, but you’ve introduced a syntax error in /etc/gdm/failsafeXinit (empty shell functions are not allowed), breaking the failsafe menu entirely:
run_terminal() {
# Causes bug #310126
# gnome-terminal
}
This might be fortunate from a security standpoint, though, because “Open a terminal” is not the only possible attack on the menu. Some others that I found fairly quickly are
Troubleshoot the error → Review the xserver log file → File → Open → /etc/passwd
Troubleshoot the error → Review the startup errors → File → Open → /etc/passwd
Troubleshoot the error → Edit configuration file → File → Open → /etc/passwd
And who knows what damage you might be able to do even with just dexconf or xorgconf (setting a malicious ModulePath?).
Basically, all options other than “Run Ubuntu in low-graphics mode for just this session” are fundamentally dangerous; they need to be password-protected. |
|
| 2008-12-22 08:07:26 |
Bryce Harrington |
xorg: status |
New |
Fix Released |
|
| 2008-12-22 08:07:26 |
Bryce Harrington |
xorg: statusexplanation |
Thanks for the quick upload, but you’ve introduced a syntax error in /etc/gdm/failsafeXinit (empty shell functions are not allowed), breaking the failsafe menu entirely:
run_terminal() {
# Causes bug #310126
# gnome-terminal
}
This might be fortunate from a security standpoint, though, because “Open a terminal” is not the only possible attack on the menu. Some others that I found fairly quickly are
Troubleshoot the error → Review the xserver log file → File → Open → /etc/passwd
Troubleshoot the error → Review the startup errors → File → Open → /etc/passwd
Troubleshoot the error → Edit configuration file → File → Open → /etc/passwd
And who knows what damage you might be able to do even with just dexconf or xorgconf (setting a malicious ModulePath?).
Basically, all options other than “Run Ubuntu in low-graphics mode for just this session” are fundamentally dangerous; they need to be password-protected. |
No, there's no actual way to run that function from the UI. It is entirely commented out from the menu.
Feel free to attach a patch if you'd like different behavior. |
|
| 2008-12-23 04:57:34 |
Anders Kaseorg |
xorg: status |
Fix Released |
New |
|
| 2008-12-23 04:57:34 |
Anders Kaseorg |
xorg: statusexplanation |
No, there's no actual way to run that function from the UI. It is entirely commented out from the menu.
Feel free to attach a patch if you'd like different behavior. |
Yes, the “Open a terminal” attack is gone now, but there are still other attacks that I mentioned above. The “Troubleshoot the error” option leads to a menu including three options that each launch gedit as root (“Review the xserver log file”, “Review the startup errors”, “Edit configuration file”). gedit can be used to edit the /etc/passwd file, for example, and compromise the system almost as quickly. I’ll retitle the bug to make the scope of the problem clearer.
These vulnerabilities are present in both Intrepid and Jaunty. |
|
| 2008-12-23 04:58:25 |
Anders Kaseorg |
title |
failsafeXinit: “Open a terminal” option does not ask for a password! |
failsafeXinit: launches gnome-terminal or gedit as root without a password |
|
| 2008-12-23 07:33:06 |
Bryce Harrington |
xorg: status |
New |
Incomplete |
|
| 2008-12-23 07:33:06 |
Bryce Harrington |
xorg: statusexplanation |
Yes, the “Open a terminal” attack is gone now, but there are still other attacks that I mentioned above. The “Troubleshoot the error” option leads to a menu including three options that each launch gedit as root (“Review the xserver log file”, “Review the startup errors”, “Edit configuration file”). gedit can be used to edit the /etc/passwd file, for example, and compromise the system almost as quickly. I’ll retitle the bug to make the scope of the problem clearer.
These vulnerabilities are present in both Intrepid and Jaunty. |
So do you have a patch to propose? Otherwise this may need to wait a bit. |
|
| 2009-02-11 06:05:01 |
Bryce Harrington |
xorg: status |
Incomplete |
Invalid |
|
| 2009-02-12 10:24:04 |
Anders Kaseorg |
xorg: status |
Invalid |
New |
|
| 2009-02-12 10:24:04 |
Anders Kaseorg |
xorg: statusexplanation |
So do you have a patch to propose? Otherwise this may need to wait a bit. |
This vulnerability has not gone away; failsafeXinit still allows an untrusted user to run gedit as root. I don’t have an ultimate solution, but removing the three vulnerable options would be a good first step. We could then open up this bug (or a new bug) so that other contributors can figure out how to add back this functionality in a secure way. |
|
| 2009-02-16 09:40:00 |
Anders Kaseorg |
bug |
|
|
added attachment 'xorg_7.4~5ubuntu13.debdiff' (debdiff for Jaunty) |
| 2009-02-16 09:41:32 |
Anders Kaseorg |
bug |
|
|
added attachment 'xorg_7.4~5ubuntu3.1.debdiff' (debdiff for Intrepid) |
| 2009-03-12 18:49:28 |
Kees Cook |
xorg: status |
New |
Triaged |
|
| 2009-03-12 18:49:28 |
Kees Cook |
xorg: assignee |
|
bryceharrington |
|
| 2009-03-12 18:49:28 |
Kees Cook |
xorg: importance |
Undecided |
Medium |
|
| 2009-03-12 18:49:28 |
Kees Cook |
xorg: statusexplanation |
|
|
|
| 2009-03-12 18:49:28 |
Kees Cook |
xorg: milestone |
|
ubuntu-9.04-beta |
|
| 2009-03-12 18:50:43 |
Kees Cook |
xorg: status |
New |
Triaged |
|
| 2009-03-12 18:50:43 |
Kees Cook |
xorg: assignee |
|
bryceharrington |
|
| 2009-03-12 18:50:43 |
Kees Cook |
xorg: importance |
Undecided |
Medium |
|
| 2009-03-12 18:50:43 |
Kees Cook |
xorg: statusexplanation |
|
bpx needs to prompt for a root password if one exists. "sulogin" has a similar behavior. |
|
| 2009-03-17 07:12:48 |
Bryce Harrington |
title |
failsafeXinit: launches gnome-terminal or gedit as root without a password |
[failsafeXinit] launches gnome-terminal or gedit as root without a password |
|
| 2009-03-17 09:18:55 |
Bryce Harrington |
xorg (Ubuntu Jaunty): status |
Triaged |
Fix Committed |
|
| 2009-03-18 21:00:32 |
Launchpad Janitor |
xorg: status |
Fix Committed |
Fix Released |
|
| 2009-03-30 20:55:25 |
Kees Cook |
visibility |
private |
public |
|
| 2009-10-13 23:08:48 |
Bryce Harrington |
xorg (Ubuntu Intrepid): assignee |
Bryce Harrington (bryceharrington) |
|
|
| 2009-12-05 05:25:24 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/xorg |
|
| 2010-05-07 23:27:24 |
Alex Valavanis |
xorg (Ubuntu Intrepid): status |
Triaged |
Invalid |
|
